341e2c7a124853b1ef9d3b3f005512ac2fd735e73ef98013ab95c6345fc96821

General

Target

cedcc9ca3e29a3eb5bce0f48b3f1adcf_JaffaCakes118.exe
Size

146KB
MD5

cedcc9ca3e29a3eb5bce0f48b3f1adcf
SHA1

155461b5c31e69cab861aa95ec1aefc6d3a63714
SHA256

341e2c7a124853b1ef9d3b3f005512ac2fd735e73ef98013ab95c6345fc96821
SHA512

6ded7e8a051e67a78f9642f8beb12556bb4d0c4204c90fa786e05f381831fba1375e969ff38b62b1ecff3e0988534069cb0fdde0bd02511e9c09fdeb8caa0089
SSDEEP

3072:8YA8iTvJk6o/KNSVP6mj8BhaSzppyURXHFMWc0:K8iTvm6UKNyuhJnVz

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59875.exe	59875.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59875.exe	59875.exe

Executes dropped EXE 2 IoCs

pid	Process
2276	10016.exe
1712	59875.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10016.exe = "C:\\Documents and Settings\\All Users\\Application Data\\10016.exe"	10016.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2276	10016.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	10016.exe
Token: SeDebugPrivilege	1712	59875.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1712	59875.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2276	1748	cedcc9ca3e29a3eb5bce0f48b3f1adcf_JaffaCakes118.exe	28
PID 1748 wrote to memory of 2276	1748	cedcc9ca3e29a3eb5bce0f48b3f1adcf_JaffaCakes118.exe	28
PID 1748 wrote to memory of 2276	1748	cedcc9ca3e29a3eb5bce0f48b3f1adcf_JaffaCakes118.exe	28
PID 1748 wrote to memory of 1712	1748	cedcc9ca3e29a3eb5bce0f48b3f1adcf_JaffaCakes118.exe	29
PID 1748 wrote to memory of 1712	1748	cedcc9ca3e29a3eb5bce0f48b3f1adcf_JaffaCakes118.exe	29
PID 1748 wrote to memory of 1712	1748	cedcc9ca3e29a3eb5bce0f48b3f1adcf_JaffaCakes118.exe	29
PID 1712 wrote to memory of 2908	1712	59875.exe	30
PID 1712 wrote to memory of 2908	1712	59875.exe	30
PID 1712 wrote to memory of 2908	1712	59875.exe	30

C:\Users\Admin\AppData\Local\Temp\cedcc9ca3e29a3eb5bce0f48b3f1adcf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cedcc9ca3e29a3eb5bce0f48b3f1adcf_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\10016.exe
  "C:\Users\Admin\AppData\Local\Temp\10016.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\59875.exe
  "C:\Users\Admin\AppData\Local\Temp\59875.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 708
    3⤵
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10016.exe

Filesize
32KB

MD5
1adf492ac19d0f0aa331af9e261394a0

SHA1
a7e1959a3a8c195f809e9db035e7c58c2656db28

SHA256
cbda998a5a5670fbc1fb08b601819266eba1ec6e33d9dad7f2f6668b24cc013c

SHA512
de1950a46de22ea475c841e0a733f4f83327a4696dbcd2b433160e1c06fee9b68206864f8181cbc7d23e7fc1f442a2af9175f9a35a717ab454ec03bd5a42b834

Download Submit
C:\Users\Admin\AppData\Local\Temp\59875.exe

Filesize
99KB

MD5
ee24abae9a5a7c521219df11dcffe351

SHA1
6c1db614926d74a7abdebf3b1d0665b1813087f4

SHA256
7a4daab76ec7d50afcfed4f593ec56da1cd88da45a3d818d7b2e57e0f281ffd7

SHA512
ca7fb91f12ba4b9ef5c16d56512ecd033f60980f4ab2f173b1cc4da2396f152db0194925a1ae7b1f46d5f3c33e8c205a43f956ba61945c215c5263ef0c2e6ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\logdll.txt

Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
memory/1748-0-0x000007FEF572E000-0x000007FEF572F000-memory.dmp

Filesize
4KB

Download
memory/1748-9-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/1748-8-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/1748-16-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-11-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-12-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-10-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-19-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-20-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads